
fail2ban

29.10.2024

environment

  • OS: Debian 12 bookworm
  • Kernel: x86_64 Linux 6.1.0-26-amd64

  • fail2ban/stable 1.0.2-2

install

apt --install-recommends install fail2ban 

Warning

python3-systemd must be installed too: it is needed for backend = systemd (see the sshd jail below) and is pulled in by --install-recommends above.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Note

because settings in jail.local override jail.conf and are not touched by package upgrades (jail.conf is the package's file; never edit it directly)

configuration

Most default settings are fine; listed below are the ones I changed.

general

nano /etc/fail2ban/jail.local

ignoreip = 1.2.3.4 110.120.130.140 150.160.170.0/24

Note

Put your own private and public IPs/ranges here (this is the [DEFAULT] section), otherwise you may lock yourself out.

bantime  = 60m
findtime  = 10m
maxretry = 5

Warning

After a configuration change fail2ban.service has to be restarted (or reloaded with fail2ban-client reload) for it to take effect.

sshd

Info

SSH public-key authentication is used (key generated with ssh-keygen -t ed25519) and PermitRootLogin prohibit-password is set in /etc/ssh/sshd_config, so the sshd jail is not strictly necessary: root cannot log in with a password. Note that prohibit-password only covers root; password login for other accounts is disabled by PasswordAuthentication no. The jail still cuts down the brute-force noise in the journal.

nano /etc/fail2ban/jail.local

[sshd]
backend = systemd
enabled = true
port    = ssh
logpath = %(sshd_log)s

backend = systemd is required here: Debian 12 no longer installs rsyslog by default, so /var/log/auth.log does not exist and the jail refuses to start with the default file backend ("Have not found any log file for sshd jail"). With the systemd backend the journal is read via the filter's journalmatch and the logpath line is not needed. In my setup it only worked with backend = systemd as the first line of the section; the issue is well known (see the links under help).

vaultwarden

Info

2FA is enabled, so the vaultwarden jail is not strictly necessary: a guessed password alone does not get an attacker in. It still stops password guessing against the first factor. A MITM attack is a different scenario that fail2ban does not cover.

f2b files

Info

vaultwarden runs in a Docker container, as does the Caddy reverse proxy

nano /etc/fail2ban/filter.d/vaultwarden.local

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

nano /etc/fail2ban/jail.d/vaultwarden.local

[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
banaction = %(banaction_allports)s
chain = FORWARD
logpath = /var/lib/docker/volumes/vaultwarden/_data/vaultwarden.log 
maxretry = 5
bantime = 3600
findtime = 600

fail2ban-client set vaultwarden unbanip 1.1.1.1

caddyfile

vaultwarden.heyandy.org:443 {
    reverse_proxy vaultwarden:80 {
        header_up X-Real-IP {remote_host}
    }
}

Note

header_up X-Real-IP {remote_host} has to be added in the Caddyfile, otherwise the Caddy container's internal IP is written to vaultwarden.log (vaultwarden takes the client address from the header named by IP_HEADER, which defaults to X-Real-IP) and the jail would ban the proxy instead of the client.

compose.yaml

The environment of vaultwarden/server:latest must be extended as follows, otherwise vaultwarden writes no log file with the login failures and fail2ban has nothing to ban on:

environment:
    LOG_FILE: "data/vaultwarden.log"
    EXTENDED_LOGGING: "true"
    LOG_LEVEL: "warn"
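To see how the pieces above fit together, here is an added example (my own Python, not fail2ban's code and not from the vaultwarden wiki) that replays the failregex from filter.d/vaultwarden.local and a reduced sshd pattern over constructed log lines and applies the ignoreip, findtime, maxretry and bantime values from jail.local. The sample lines, the reduced <ADDR> expansion, the reduced sshd pattern and the helper names (ban_decisions, proxy_leak, burst) are assumptions for illustration; fail2ban parses the timestamp out of each line itself, here it is carried beside the line. proxy_leak flags a ban on an RFC 1918 address, which is what you get when the X-Real-IP header from the caddyfile note is missing.

```python
"""Replay fail2ban's jail logic over constructed log lines (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <ADDR> into an IPv4/IPv6 alternation; this reduced version
# covers plain IPv4 and IPv6 literals only (no hostnames, no brackets).
ADDR = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})"

# failregex from filter.d/vaultwarden.local, <ADDR> expanded.
VAULTWARDEN_RE = re.compile(
    r"^.*?Username or password is incorrect\. Try again\. IP: "
    + ADDR + r"\. Username:.*$")

# Reduced form of the "Failed password" line; the stock filter.d/sshd.conf
# carries many more patterns (assumption: this one is enough for the demo).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    + ADDR + r" port \d+")

# Values from jail.local.
IGNOREIP = ["1.2.3.4", "110.120.130.140", "150.160.170.0/24"]
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=60)
MAXRETRY = 5

# Docker bridge networks are allocated from these ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ban_decisions(events, regex, maxretry=MAXRETRY, findtime=FINDTIME,
                  bantime=BANTIME, ignoreip=IGNOREIP):
    """events: iterable of (datetime, line). Returns {addr: ban start}.

    An address is banned once `maxretry` matching lines fall inside a sliding
    `findtime` window. Hits from ignoreip are never counted and hits during an
    active ban are dropped, as fail2ban does."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = defaultdict(list)
    bans = {}
    for ts, line in sorted(events):
        m = regex.search(line)
        if not m:
            continue
        addr = m.group("addr")
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # the reduced <ADDR> matched something that is not an IP
        if any(ip in net for net in ignored):
            continue
        if addr in bans and ts < bans[addr] + bantime:
            continue
        hits = [t for t in window[addr] if ts - t <= findtime] + [ts]
        window[addr] = hits
        if len(hits) >= maxretry:
            bans[addr] = ts
            window[addr] = []
    return bans


def proxy_leak(bans):
    """Banned addresses inside RFC 1918 space: the symptom of a missing
    X-Real-IP header, i.e. the jail bans the proxy container, not the client."""
    return sorted(a for a in bans
                  if any(ipaddress.ip_address(a) in n for n in RFC1918))


# Constructed sample lines (not real captures): vaultwarden format modelled on
# its EXTENDED_LOGGING output, sshd lines on what the journal shows.
def vw_line(ts, ip):
    return (f"[{ts:%Y-%m-%d %H:%M:%S}.000][vaultwarden::api::identity][ERROR] "
            f"Username or password is incorrect. Try again. IP: {ip}. "
            f"Username: admin@example.org.")


def ssh_line(ts, user, ip):
    return (f"{ts:%b %d %H:%M:%S} host sshd[4242]: Failed password for {user} "
            f"from {ip} port 51234 ssh2")


def burst(start, step, n, make):
    """n events `step` apart from `start`; make(ts) renders the line."""
    return [(start + step * i, make(start + step * i)) for i in range(n)]


T0 = datetime(2024, 10, 29, 21, 0, 0)
VAULTWARDEN_EVENTS = (
    burst(T0, timedelta(seconds=30), 5, lambda t: vw_line(t, "203.0.113.7"))   # 5 in 2 min: ban
    + burst(T0, timedelta(seconds=10), 6, lambda t: vw_line(t, "150.160.170.5"))  # ignoreip
    + burst(T0, timedelta(seconds=20), 5, lambda t: vw_line(t, "172.18.0.2"))    # proxy address
)
SSHD_EVENTS = (
    burst(T0, timedelta(minutes=4), 5, lambda t: ssh_line(t, "root", "198.51.100.9"))  # never 5 in 10 min
    + burst(T0, timedelta(seconds=5), 7, lambda t: ssh_line(t, "invalid user admin", "2001:db8::9"))
    + [(T0, "Oct 29 21:00:00 host sshd[4242]: Accepted publickey for andy "
            "from 203.0.113.50 port 40000 ssh2")]  # no match, ignored
)

if __name__ == "__main__":
    vb = ban_decisions(VAULTWARDEN_EVENTS, VAULTWARDEN_RE)
    print("vaultwarden", {a: t.strftime("%H:%M:%S") for a, t in vb.items()},
          "proxy leak:", proxy_leak(vb))
    print("sshd", {a: t.strftime("%H:%M:%S")
                   for a, t in ban_decisions(SSHD_EVENTS, SSHD_RE).items()})
```

The 198.51.100.9 burst shows why findtime matters: five failures four minutes apart never put five hits inside a ten-minute window, so the default values let a slow guesser through; doubling findtime catches it. To test the real filters against the real logs, fail2ban ships fail2ban-regex for the same purpose.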

start & troubleshoot

systemctl enable fail2ban    (if necessary)
systemctl status fail2ban    (expect: fail2ban.service; enabled; preset: enabled; Active: active (running))

fail2ban-client start    (if necessary; it prints the cause if the start is not successful)

fail2ban-client status
fail2ban-client status sshd
fail2ban-client status vaultwarden

systemctl restart fail2ban.service
journalctl -f
less /var/log/fail2ban.log

grep -srni "journalmatch" /etc/fail2ban/filter.d/

Note

Useful to see which systemd unit each jail's filter matches on. It does not help for the docker container, since that runs under docker.service.

fail2ban-client set sshd unbanip <ip>

Tip

Trying to unban an IP that is not banned is a harmless way to check that the client can talk to the server.

fail2ban-client set sshd banip <ip>

iptables -L f2b-sshd -v -n --line-numbers

fail2ban-client set vaultwarden unbanip <ip>

less /var/lib/docker/volumes/vaultwarden/_data/vaultwarden.log
iptables -L f2b-vaultwarden -v -n --line-numbers

help

fail2ban

  • https://wiki.archlinux.org/title/Fail2ban
  • https://www.the-art-of-web.com/system/fail2ban/
  • https://seifer.guru/2021/01/2021-01-fail2ban-with-nginx-in-container/
  • https://github.com/fail2ban/fail2ban/commit/d0d07285234871bad3dc0c359d0ec03365b6dddc
  • https://docs.docker.com/engine/network/packet-filtering-firewalls
  • https://www.reddit.com/r/selfhosted/comments/srrg7n/fail2ban_and_docker/?rdt=41758
  • https://forum.openwrt.org/t/resolved-fail2ban-and-iptables-ip-bans-not-blocked/90057

sshd

vaultwarden

  • https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
  • https://github.com/dani-garcia/vaultwarden/issues/973
  • https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
  • https://github.com/dani-garcia/vaultwarden/wiki/Logging

nextcloud